Java app as Windows Service w/JGSS+Kerberos - should it work?
chriscorbell at gmail.com
Wed Mar 11 20:08:40 EDT 2009
I have a JBoss webservice app that's configured for GSS-API (Kerberos)
authentication of context tokens received from clients. It gets the
GSS-API output token in a soap message and calls acceptSecContext().
GSS-API is configured with a Krb5LoginModule and a local keyTab file
(exported from AD). All of this works great.

What doesn't work great is running this JBoss app as an actual Windows
Service - the creation of the server's GSSCredentials fails with "No
valid credentials provided", which I think typically means the keyTab
file isn't found or can't be accessed.

I've tried every type of user for the Windows Service (LocalSystem, a
local Admin user account w/password, etc.) and verified read perms on
the keyTab file. I'm beginning to suspect it's just a problem with
having the JVM wrapped in a native service process. (I'm using the
Tanuki Java Service Wrapper).

I know this is a fairly specific configuration but I'm hoping someone
may have some experience to offer - have you been able to get a
GSS-API-enabled Java server application running as a Windows Service with
a local KeyTab file? If you have gotten this to work, did you ever see
the above symptom & is there a likely cause? Or if not, could it be
that this simply won't work - is there something about the Java
GSS-API implementation that conflicts with running in a wrapping service
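
An added example, not part of the original post: a stand-alone check that performs the same steps the message describes (Krb5LoginModule login from a local keytab, then creation of acceptor GSSCredentials) and prints what the JVM process actually sees, so it can be run once from a console and once under the service wrapper and the two outputs compared. The class name and the two command-line arguments are assumptions; it also assumes a JDK whose Krb5LoginModule supports the isInitiator option (JDK 7 or later) and where Subject.doAs is still available.

```java
import java.io.File;
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;
public class AcceptorCredCheck {  // hypothetical name, not from the post
    public static void main(String[] args) throws Exception {
        // args[0] = keytab path, args[1] = service principal (operator-supplied)
        File keytab = new File(args[0]);
        // Values that can differ between a console session and a service process.
        System.out.println("user.name = " + System.getProperty("user.name"));
        System.out.println("user.dir  = " + System.getProperty("user.dir"));
        System.out.println("keytab    = " + keytab.getAbsolutePath()
                + " exists=" + keytab.isFile() + " readable=" + keytab.canRead());
        final Map<String, String> opts = new HashMap<String, String>();
        opts.put("useKeyTab", "true");
        opts.put("keyTab", keytab.getAbsolutePath()); // absolute, not cwd-relative
        opts.put("principal", args[1]);
        opts.put("storeKey", "true");     // keep the long-term key for accepting
        opts.put("doNotPrompt", "true");
        opts.put("isInitiator", "false"); // acceptor only: no TGT request to the KDC
        opts.put("debug", "true");        // module prints which keytab it opened
        // In-memory JAAS configuration, so no external login.config is involved.
        Configuration conf = new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    "com.sun.security.auth.module.Krb5LoginModule",
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts) };
            }
        };
        LoginContext lc = new LoginContext("acceptor-check", null, null, conf);
        lc.login(); // throws LoginException if the keytab or principal is unusable
        GSSCredential cred = Subject.doAs(lc.getSubject(),
            new PrivilegedExceptionAction<GSSCredential>() {
                public GSSCredential run() throws Exception {
                    return GSSManager.getInstance().createCredential(null,
                        GSSCredential.INDEFINITE_LIFETIME,
                        new Oid("1.2.840.113554.1.2.2"), // Kerberos V5 mechanism
                        GSSCredential.ACCEPT_ONLY);
                }
            });
        System.out.println("acceptor credential for " + cred.getName());
    }
}
```

If the console run succeeds and the service run fails, the printed user.dir, account name and keytab path show whether the two processes resolved the same file.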